Quick Information About POODLE SSLv3 Attack

Information about this breaking SSL attack is coming in from a variety of sources.  I will share some better links.

A couple of articles to get you started sent to me via Jan Schaumann (Twitter: @jschauma).  The Errata article describes browser settings you can apply to stop POODLE’s dead in their tracks.

Errata Security: Some POODLE Notes
Matthew Green: Attack of the Week, POODLE

Next, a link from Oona Räisänen (Twitter: @windyoona) for a POODLE test tool to check if your browser is vulnerable.

POODLE Test

For OS X users who would like to run Chrome or Firefox with command line options from the desktop read-on.

To easily click an open from your desktop, create a bash script, like the following.  Use VI, TextEdit, TextMate, TextWrangler, or your favorite text editor.

#!/bin/bash
#
open -a “Google Chrome” –args –ssl-version-min=tls1 &

Save the preceding to a file named, chrometls.command.  Open the directory where chrometls.command is stored, on my system I store scripts in ~/bin.   Next you need to make sure chometls.command is executable, run the following.

chmod +x chrometls.command

Now open up Finder and drop a copy of chrometls.command you created on your desktop.  Double-click this file on your desktop and OS X you will launch Chrome – bada bing, bada boom, your done!

If the terminated shell is messing with your OCD there is an option to automatically close shell windows once the command or script terminates.  Open a Terminal, from the Terminal preferences on the profile tab you will see a set of drop down options, “When the shell exits”.  Change the value to be, “close if the shell exited cleanly”.  After you launch the browse the shell will close automagically.  I write some shell scripts on occasion but not usually under OS X so I thought I would pass this along for those in need.

When I run Chrome in this way I see the Springfield Terrier, indicating I’m not vulnerable, the command line arguments from Errata work for me.

–Milton

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/